Target was the victim of a major security breach over the holiday season last year, and as a result, the retail chain is calling for the implementation of smartcards.

John J. Mulligan, chief financial officer and executive vice president for Target, wrote his company's case for smartcards in The Hill this week, saying that the business community in the U.S. needs to embrace the new technology together.

Smartcards, unlike current credit and debit cards used in the U.S., have a tiny microprocessor chip that encrypts the user's personal data shared with the merchant's sales terminals. Traditional credit and debit cards have a magnetic strip instead, which hold's the user's information, but can clearly be compromised. If a smartcard number is stolen, it's useless without the microchip.

To show Target's dedication to the smartcard cause, it's speeding up its goal of bringing its REDcard smartcards to all Target stores by early 2015 -- six months earlier than its previous goal. The chain is making a $100 million investment in the technology to accomplish this goal.

Mulligan also noted that the requirement of a four-digit PIN number with all smartcard transactions could further protect customer information.

[SOURCE: ABC News]

Target said other countries like Canada and the United Kingdom have already deployed smartcards, and that cases of lost or stolen cards have decreased since they've done so. However, the U.S. is slow to adopt the technology because the cards are expensive to produce, and merchants, issuers, banks and the networks haven't found a way to share the costs.

"The reported attacks on Target and Neiman Marcus underline the need to do more," said Mulligan. "At Target, we know we have work to do. For years, we made significant investments in security. We had multiple layers of protection in place. But we still came under attack by sophisticated, global criminals. We will do everything we can to further strengthen Target's systems."

Target attempted to deploy chip-enabled cards around 10 years ago, but since it was the only retailer to do so on that scale, it failed. The cards were too expensive to produce, and since Target was the only one with such a card, customers couldn't use it elsewhere, making it inconvenient and a bit confusing.

Target's breach ran from November 27 through December 15, where customer information like their names, card numbers, expiration dates and CVV verification codes were compromised. Around 40 million customers had their credit cards compromised and 70 million had their customer records stolen.

quote: The problem in this case isn't that the credit cards are insecure, in and of themselves - it's that Target stored as$loads of customer data, along with credit card data, and then got hacked and gave all that data away.

It is illegal for a merchant to store your credit card number without your authorization. The cards which were compromised in the card reader hack had the numbers stolen at the moment the transaction was being made. Target didn't store anything that wasn't necessary to complete the transaction. The cards which were compromised in the database hack were stored with the cardholder's permission (they told the Target website to save the card number to make future purchases easier).

quote: Which has nothing to do with the cards - smart or otherwise.

Please try to understand how this technology works. Without the physical smart chip itself, anything Target stores in their database is useless for completing a new purchase transaction.

The chip contains a private key from a private/public key pair. When you make the transaction, the transaction data is sent to the chip which encodes it with the private key. That encoded data is then sent to the credit card processor who has the corresponding public key. Only a transaction encoded by that private key can be decoded by that public key. If you try to fake the transaction with a different key, decoding it with the public key produces gobbledygook.

In other words, you must have the physical card in your possession to complete the transaction. None of this nonsense we have today where anyone who takes a picture of, memorizes, copies, writes down, or steals the card number has done the same thing as stealing your physical card.

What is with you people constantly ignoring the one and only argument I'm making, which is that the smart card chip is USELESS for online purchases?

Stop talking about smart card readers and their encryption at a retail POS terminal. That is NOT what is being discussed.

I am talking about the irrefutable fact that the smartcard chip does NOTHING for you on online purchases - which is how the VAST majority of CC fraud happens.

And for the moron who keeps saying "dude, just buy a USB card reader for online purchases - how hard is that?" First of all, please STFU and GTFO. Secondly, NO ONE is going to do that. You could probably count the number of Americans willing to buy a USB card reader, and then carry it around with them in case they want to buy something off their laptop (or tablet or whatever) at some point when they're not at home, on ONE HAND.

If you try to tell 300 million Americans that they all have to buy and keep with them a USB card reader so they can buy crap on Amazon.com, you will just get laughed at. Not happening.

And yes, the retailers can't store your card data without your consent. The problem there is that everyone consents...because it's convenient to do so. The only way that would change is if you actually made it illegal for vendors to store your CC data.

Which would also irritate vast numbers of Americans, who'd be horribly inconvenienced by having to type their CC numbers in every time...but it would work. As opposed to forcing USB card readers down everyone's throats...which doesn't have a snowball's chance in hell of working.

Just saying it is not possible does not make it true. All online companies would have to do is give the choice. Right now, you usually have payment options - 1. CC, 2. Paypal, 3. financing, etc. They could just add one more option of smartcard (requires reader). If the vendors explain it is more secure, most people would have no problem getting one. Places like Amazon could even send one out with their branding on it to people for free (or minimal cost), and have it be advertising (reminding users to use Amazon).

There is nothing about this that is impossible, no matter how much you want it to be.

Smartcards can easily be hacked on the user's side, so still online shopping is just as secure it once was. Also when there are people using Mac OS, Windows, and Linux, making smartcard readers for users will be a problem for support and security. Other devices like tablets and smartphones will increase the complexity of support and security. It just will not happen. A better way is setup a kiosk for people to buy products online instead going to the physical store. Going to a kiosk sometimes is just as inconvenient as going to the physical store. Something weird like owning a kiosk to be installed in homes could be done for just buying products online and use a computer to browse products.

quote: What is with you people constantly ignoring the one and only argument I'm making, which is that the smart card chip is USELESS for online purchases?

So lets solve the 1st problem (when you buy something at a store) with the smart card chip.

Then lets come up with a solution for online purchases.Either a USB reader for your computer to check the smart card, or you have to log into your credit cards web site and request a single use number.

That should eliminate most the problems.

Of course the crooks will adapt. They will have to result to stealing cards or passwords which will be harder.

quote: Then lets come up with a solution for online purchases. Either a USB reader for your computer to check the smart card, or you have to log into your credit cards web site and request a single use number.

1. There's no chance in hell you're going to convince America to all buy USB card readers...and then carry them around at all times in the event they want to buy something while they're not at home. The sheer absurdity of even saying such a thing is mind-boggling. The chance that you're going to get people to accept, and do, such a thing on any vaguely valid scale is precisely zero.

2. Pretty much the same with forcing you to log into your CC site before every purchase and get a one-time code. It's just simply too hard for Americans to deal with. They'll just take their business to vendors who don't force that. And if all vendors online required that action, in all honesty it would probably drive people from online shopping back to B&M.

The better option is to make it illegal for all vendors to store CC data in the first place. That way it's not in their database for hackers to steal anyway. Any remaining online fraud would then have to be individual, one-off things that can be easily managed otherwise.

How often do people need to purchase online while on the go? You keep throwing more hurdles just because for some reason you are dead set there is no way something new would work.

I would be willing to bet that a large % of online purchases are at home. If you are out and about, why not just go to the store. There could probably be solutions for when somebody has to go mobile (maybe just use the old-fashioned CC #), even if it is not-secure. You would still be able to make a large % of online purchases more secure.

You also talk about how issues like this don't happen in store, but that is absolutely false, as the Target breach (there were actually 2), one was stealing the swipes at the store, which would be completely removed from the equation with a smartcard.

Put a smart card reader (have both the CC and smart card and give people a choice) for both online and in store, and it make things much more secure. Will it be foolproof? Absolutely not, but nothing is.

There will be many people who will never use an optional smart card, but if they get their cc stolen enough times, or hear about others getting them stolen, many will be willing to look into other options. There will always be some people *motoman* that cannot deal with change, and will only do if forced, but there is not much that can be done about that.

I'm sorry, you're clearly just daft and refuse to take your head out of the sand. USB card readers as a mandatory item to make online purchases is f%cking retarded, and there is quite simply no f%cking way it would ever work.

Where are you getting mandatory? I have never said mandatory, you keep putting that up there. Read something before you respond. I said have the option of a more secure payment method. If you want to use it (and be much more safe) go ahead, otherwise you the old way, and be less secure.

Also - you say I have to be clinically insane, (maybe I am), but I can count on 1 hand how many times I have made an online purchase while out and about. The main time I want to make an online purchase is from home. The main reason most want to make online purchases is for the convenience of doing it from home, which means they are at home.

Maybe I am in the minority, and everybody is out there getting in their car and driving around just to make online purchases, but that seems like the exception rather than the rule (at least in my clinically insane mind).